Requesting check of scan logs.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Virginian17, Dec 5, 2009.

  1. Virginian17

    Virginian17 Private E-2

    A long time ago, we noticed a program with Chinese characters on the computer. We disabled it and forgot about it.

    We have since installed WinPatrol. It repeatedly pops up a window saying that a new startup program has been added, but details are entirely blank. There is no icon, no title, and no manufacturer. When we try to deny the program, we get a scary message saying it is in a key location for Windows and should not be nuked unless we are sure it's safe to do so. If we deny it anyway, the alert keeps coming back.

    We haven't noticed any other strange behavior or problems on the computer, but I thought a cleaning was in order given these issues.

    We are running Windows Vista Home Premium on an Acer Aspire E380 desktop.

    We ran your procedure, and logs are attached. Thank you very much for any help you can give!
     


  2. Virginian17

    Virginian17 Private E-2

    Here is the additional log. Thanks for being here... It's much, much appreciated!
     


  3. Virginian17

    Virginian17 Private E-2

    Oh, one more observation:

    When we boot up now, there is a window indicated on the taskbar for eRecoveryAgent that does not pop up into an actual window when you click on it. If you right-click it, the options are:

    Move
    Close
    (Chinese characters) ERAgent(A)...


    I do not know what this means.

    Thanks again for your help.
     
  4. Virginian17

    Virginian17 Private E-2

    I just got barraged with a bunch of startup program alerts from WinPatrol, and one alert for a new Windows service. They included the following:

    1. SysMonitor.exe
    2. (Acer Assist) launcher.exe
    3. ??????????????e (No other information given)
    4. eAPLauncher.exe
    5. (blank program - No other information given, same warning)
    6. New Windows Service: appmgmts (in system 32)

    If I deny any of them, the alerts keep coming back.



    Also, I just noticed a new file on the desktop, desktop.ini. It reads as follows:

    [.ShellClassInfo]
    LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
    IconResource=%SystemRoot%\system32\imageres.dll,-183
    [LocalizedFileNames]
    Windows Mail.lnk=@%ProgramFiles%\Windows Mail\WinMail.exe,-225
    Internet Explorer.lnk=@%windir%\System32\ie4uinit.exe,-731


    Thank you again for your help.
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    First, let's deal with a few things that we can remove. Then allow all the things that WinPatrol is asking for approval for. The desktop.ini file was unhidden when you ran MGTools... it is fine.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):
    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now use Windows Explorer to find and delete:
    C:\Windows\Temp\jetb337.tmp
    C:\Users\atlantic\AppData\Local\temp\Rar$EX00.066

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
     
    Last edited: Dec 8, 2009
  6. Virginian17

    Virginian17 Private E-2

    Sorry for the delay in responding, and thank you for still being here. Norton Internet Security expired since I wrote to you. I put Panda Internet Security on the computer, instead. Panda did not identify any malware.

    Since adding Panda Internet Security to the computer, I have not noticed any WinPatrol alerts; however, the mysterious "???????????" file is still listed in startup. Also, I have been getting alerts about network intruders, which is new (but I don't know if Norton even had this capability).

    The registry addition you gave me was successful. However, I cannot find either of the files you instructed me to delete.

    The only files in C:\Windows\Temp are cteng*.dat files (a whole bunch), MP*.log files (2), and PSSysChk.log.

    When I go to C:\Users\atlantic\AppData\Local\temp, there are folders for eDataSecurity, Low, and WPDNSE. There are files for ~DF*.tmp (a whole bunch), atlantic.bmp, and jusched.log. I cannot find anything like Rar$EX00.066.

    If I were on XP, I would do a search for the files to see if they could be anywhere else, but the Vista search engine perplexes me. I tried to search from the box on top of the C: drive window and it didn't find anything, but I am not positive I did the search correctly.


    I ran the C:\MGtools\GetLogs.bat file. The log is attached.

    Thank you again for helping me figure this out. I am so grateful for your help.
     
  7. Virginian17

    Virginian17 Private E-2

    Sorry. Here is the MGTools log.
     


  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    There are only two things I would like you to delete. Please use Windows Explorer to find and delete:
    C:\Windows\Tasks\at1.job
    C:\Windows\Tasks\WebReg 20071029141641.job

    Now, if you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note: the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  9. Virginian17

    Virginian17 Private E-2

    Thank you very much for identifying those files. I did delete them. They did not appear in the recycle bin on the desktop, but I found them in C:\$RECYCLE.BIN\Recycle Bin. There is also a file in the $RECYCLE.BIN folder called S-1-5-21-1184643003-4113689745-3837433256-1000, to which access is denied (the icon is faded out). I don't understand why I have a recycle bin on the desktop and then this file in C.

    I have a couple of other questions, if you don't mind. In googling the at1.job file, what I have found seems to suggest that the file is created by other malware or network shares and reflects a task associated with malware, rather than the malware itself (if that makes sense). I am wondering why deleting the job file is enough to make sure the problem is entirely gone.

    Do you have an idea of how the job files got there, and how I can be sure I am not still vulnerable to a problem? I don't understand shares at all. How can I ensure that my shares are all valid?

    Also, I still have the mystery ?????????? file in startup. What was your thought about this file? Do you have any idea what it is?

    I'm sorry if these are stupid questions, and I hope you don't mind my asking them. I very much appreciate your help and expertise.
     
  10. Virginian17

    Virginian17 Private E-2

    at1.job is back again today, after having been deleted yesterday.

    I also found it on our other computer, also in the Tasks folder. Please help me understand what's happening here.
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am sorry for the delay. You should open msconfig: go to Start / Run and type msconfig. Once that opens, go to the Startup tab and uncheck that "mystery" file.

    Then reboot and run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
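The two things this thread keeps circling back to, the at1.job file that reappears in C:\Windows\Tasks and the startup entry WinPatrol shows with a blank or unreadable name, can be audited from PowerShell with the added script below; it is not code from the thread, from MajorGeeks or from MGTools. It assumes the standard Vista-era locations (%windir%\Tasks for legacy job files, the usual Run/RunOnce keys) and that job files created through the AT command follow the AtN.job naming pattern.

```powershell
# Added example (not from the thread): audit legacy .job files and Run-key startup entries.
# Assumes a Vista/7-style layout: %windir%\Tasks holds Task Scheduler 1.0 job files,
# and autostart entries live under the usual Run/RunOnce keys.
$taskDir = Join-Path $env:windir 'Tasks'

# 1. Legacy job files. The AT command names its tasks AtN.job (at1.job, at2.job, ...),
#    so list every .job with timestamps: a file that was deleted and "came back" shows
#    a fresh CreationTime, which is the first clue that something is recreating it.
Write-Host "== .job files in $taskDir =="
Get-ChildItem -Path $taskDir -Filter '*.job' -Force -ErrorAction SilentlyContinue |
    Select-Object Name, CreationTime, LastWriteTime, Length |
    Format-Table -AutoSize | Out-Host

# 2. What each job actually runs. The file listing does not show the command line;
#    schtasks verbose LIST output does, so keep only the fields worth reading.
Write-Host "== scheduled task definitions =="
schtasks /query /fo LIST /v 2>$null |
    Select-String -Pattern '^(TaskName|Task To Run|Next Run Time|Author):' |
    ForEach-Object { $_.Line }

# 3. Run/RunOnce autostart values. Flag names that are empty or contain characters
#    outside printable ASCII (the "??????????" entry WinPatrol could not describe).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
Write-Host "== autostart values (REVIEW = blank or non-ASCII value name) =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/etc.; they are not registry values.
        if ($p.Name -like 'PS*') { continue }
        $suspect = ($p.Name.Trim() -eq '') -or ($p.Name -match '[^\x20-\x7E]')
        $tag = if ($suspect) { 'REVIEW' } else { 'ok    ' }
        '{0} {1} : "{2}" = {3}' -f $tag, $key, $p.Name, $p.Value
    }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys and %windir%\Tasks are readable; a REVIEW line or a job whose "Task To Run" points at a temp folder is what to show a helper, not something to delete on sight.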
     
